class ActionDispatch::ContentSecurityPolicy
Configures the HTTP Content-Security-Policy response header to help protect against XSS and injection attacks.
Example global policy:
Rails.application.config.content_security_policy do |policy| policy.default_src :self, :https policy.font_src :self, :https, :data policy.img_src :self, :https, :data policy.object_src :none policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports policy.report_uri "/csp-violation-report-endpoint" end
Constants
- DEFAULT_NONCE_DIRECTIVES
- DIRECTIVES
- MAPPINGS
Attributes
Public Class Methods
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 173 def initialize @directives = {} yield self if block_given? end
Public Instance Methods
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 201 def block_all_mixed_content(enabled = true) if enabled @directives["block-all-mixed-content"] = true else @directives.delete("block-all-mixed-content") end end
Specify whether to prevent the user agent from loading any assets over HTTP when the page uses HTTPS:
policy.block_all_mixed_content
Pass false
to allow it again:
policy.block_all_mixed_content false
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 290 def build(context = nil, nonce = nil, nonce_directives = nil) nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil? build_directives(context, nonce, nonce_directives).compact.join("; ") end
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 178 def initialize_copy(other) @directives = other.directives.deep_dup end
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 217 def plugin_types(*types) if types.first @directives["plugin-types"] = types else @directives.delete("plugin-types") end end
Restricts the set of plugins that can be embedded:
policy.plugin_types "application/x-shockwave-flash"
Leave empty to allow all plugins:
policy.plugin_types
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 230 def report_uri(uri) @directives["report-uri"] = [uri] end
Enable the report-uri directive. Violation reports will be sent to the specified URI:
policy.report_uri "/csp-violation-report-endpoint"
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 243 def require_sri_for(*types) if types.first @directives["require-sri-for"] = types else @directives.delete("require-sri-for") end end
Specify asset types for which Subresource Integrity is required:
policy.require_sri_for :script, :style
Leave empty to not require Subresource Integrity:
policy.require_sri_for
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 264 def sandbox(*values) if values.empty? @directives["sandbox"] = true elsif values.first @directives["sandbox"] = values else @directives.delete("sandbox") end end
Specify whether a sandbox should be enabled for the requested resource:
policy.sandbox
Values can be passed as arguments:
policy.sandbox "allow-scripts", "allow-modals"
Pass false
to disable the sandbox:
policy.sandbox false
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 282 def upgrade_insecure_requests(enabled = true) if enabled @directives["upgrade-insecure-requests"] = true else @directives.delete("upgrade-insecure-requests") end end
Specify whether user agents should treat any assets over HTTP as HTTPS:
policy.upgrade_insecure_requests
Pass false
to disable it:
policy.upgrade_insecure_requests false
Private Instance Methods
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 309 def apply_mapping(source) MAPPINGS.fetch(source) do raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}" end end
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 296 def apply_mappings(sources) sources.map do |source| case source when Symbol apply_mapping(source) when String, Proc source else raise ArgumentError, "Invalid content security policy source: #{source.inspect}" end end end
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 331 def build_directive(sources, context) sources.map { |source| resolve_source(source, context) } end
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 315 def build_directives(context, nonce, nonce_directives) @directives.map do |directive, sources| if sources.is_a?(Array) if nonce && nonce_directive?(directive, nonce_directives) "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'" else "#{directive} #{build_directive(sources, context).join(' ')}" end elsif sources directive else nil end end end
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 353 def nonce_directive?(directive, nonce_directives) nonce_directives.include?(directive) end
Source
# File lib/action_dispatch/http/content_security_policy.rb, line 335 def resolve_source(source, context) case source when String source when Symbol source.to_s when Proc if context.nil? raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}" else resolved = context.instance_exec(&source) apply_mappings(Array.wrap(resolved)) end else raise RuntimeError, "Unexpected content security policy source: #{source.inspect}" end end